I am trying to connect two different subnets on an RB1100 and I am facing the following issue.
I have a hotspot network that belongs to the RB1100, with a range of 172.21.0.0/16, on interface ether11, which in turn leads to a couple of access points used for internet access.
On these access points I have created virtual APs and linked them to the RB1100 with a VLAN, using subnet 192.168.100.0/24.
Now there is a separate network coming from a different router (not a MikroTik, but a simple ISP router) with a range of 192.168.30.0/24.
I want to make this network communicate both ways with 172.21.0.0/16 and 192.168.100.0/24.
What I did was take a free IP address from the 192.168.30.0/24 network (192.168.30.80) and run a wire to a free ethernet port on my RB1100 (ether10).
I added the address 192.168.30.80/24 to that port (ether10), which is not bridged with the rest of the network, since the 30.0 network has its own DHCP server and I don't want conflicts.
I used srcnat masquerade on ether10, and what I achieved with this is that 172.21.0.0/16 and 192.168.100.0/24 can ping and communicate with 192.168.30.0/24.
I can't seem to achieve the other way around: hosts in 192.168.30.0/24 pinging 172.21.0.0/16 and 192.168.100.0/24.
Other than the masquerade rule I haven't added any other rules or routes — maybe I am missing something there?
Thanks in advance.
# RouterOS export posted with the question; the '#' lines are review annotations.
/interface bridge
add name=bridge1
/interface ethernet
# ether10 is renamed 10MGMLINK: this is the port wired into the non-MikroTik
# router's 192.168.30.0/24 segment. It is deliberately not a bridge1 member
# (only ether11 is, see /interface bridge port below), so it is a routed port.
set [ find default-name=ether10 ] comment="Management Link" l2mtu=1600 name=\
10MGMLINK speed=100Mbps
# The three uplinks; they are grouped into the OTE interface list further down.
set [ find default-name=ether1 ] name=WAN1 speed=100Mbps
set [ find default-name=ether2 ] name=WAN2 speed=100Mbps
set [ find default-name=ether3 ] name=WAN3 speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether11 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether12 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether13 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
# vlan100 rides on ether11, the same physical port that is the (untagged)
# bridge1 member: tagged 100 frames land on vlan100, untagged ones on the
# hotspot bridge.
add comment=vlan100 interface=ether11 name=vlan100 vlan-id=100
/interface list
# OTE = WAN1-3, LAN = bridge1 only (see /interface list member). vlan100 and
# 10MGMLINK belong to neither list, which matters for the input-chain
# "drop all not coming from LAN" rule.
add name=OTE
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=""
/ip firewall layer7-protocol
# Referenced only by the two disabled mark-packet rules in /ip firewall mangle.
add name=streaming regexp=videoplayback|video
add name=facebook regexp=facebook|fbcdn.net
/ip hotspot profile
set [ find default=yes ] login-by=http-chap,http-pap
# use-radius=yes, but the only /radius entry in this export is disabled, so
# authentication presumably falls back to the local /ip hotspot user list —
# confirm that this is intended.
add hotspot-address=172.21.1.1 login-by=http-chap,http-pap name=hsprof1 \
radius-interim-update=2m use-radius=yes
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=no idle-timeout=2h keepalive-timeout=\
2h shared-users=2
add add-mac-cookie=no idle-timeout=1h keepalive-timeout=1h \
!mac-cookie-timeout name=uprof1 shared-users=10
# "Free" allows 1000 simultaneous logins on one account with two-week timeouts.
add idle-timeout=2w keepalive-timeout=2w name=Free shared-users=1000
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
# The hotspot pool skips 172.21.1.1, the router's own address on bridge1.
add name=hs-pool-14 ranges=172.21.0.1-172.21.1.0,172.21.1.2-172.21.255.254
add name=vlan100 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=hs-pool-14 disabled=no interface=bridge1 lease-time=1d name=\
dhcp1
add address-pool=vlan100 disabled=no interface=vlan100 lease-time=1d name=\
vlan100
/ip hotspot
add address-pool=hs-pool-14 disabled=no idle-timeout=2h interface=bridge1 \
keepalive-timeout=2h name=hotspot1 profile=hsprof1
/snmp community
# The default community accepts queries from any source address. Whether SNMP
# itself is enabled is not visible in this export; if it is, the input chain
# limits reach to bridge1 — i.e. every hotspot guest. Restricting addresses=
# to the monitoring host(s) would be tighter.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
# Only ether11 is bridged; 10MGMLINK (ether10) and vlan100 are routed interfaces.
add bridge=bridge1 interface=ether11
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
# Discovery runs on every non-dynamic interface, including WAN1-3 and
# 10MGMLINK; discover-interface-list=LAN would keep it off the uplinks.
set discover-interface-list=!dynamic
/ip settings
set tcp-syncookies=yes
/interface list member
add interface=WAN1 list=OTE
add interface=WAN2 list=OTE
add interface=WAN3 list=OTE
# LAN holds bridge1 only — not vlan100, not 10MGMLINK.
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.5/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.5/24 interface=WAN2 network=192.168.2.0
add address=172.21.1.1/16 interface=bridge1 network=172.21.0.0
add address=192.168.3.5/24 interface=WAN3 network=192.168.3.0
# The router's foothold in the ISP router's segment. 192.168.30.0/24 is a
# connected network here, so nothing more is needed for traffic *towards* it.
# The reverse direction depends on the 192.168.30.0/24 side knowing that
# 172.21.0.0/16 and 192.168.100.0/24 are reachable via 192.168.30.80 — nothing
# in this export can provide that; it has to be configured on that side.
add address=192.168.30.80/24 interface=10MGMLINK network=192.168.30.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
# No dns-server given for the hotspot network, so clients presumably resolve
# through the router (172.21.1.1 / router.lan); vlan100 hands out public
# resolvers directly.
add address=172.21.0.0/16 comment="hotspot network" gateway=172.21.1.1
add address=192.168.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.100.1
/ip dns
# allow-remote-requests=yes makes the router a resolver on every interface; the
# input chain's per-WAN udp/tcp 53 drops and its final "not from LAN" drop are
# what keep it from being an open resolver toward the uplinks.
set allow-remote-requests=yes cache-max-ttl=1d cache-size=8192KiB \
max-udp-packet-size=8192 servers=1.1.1.1,8.8.8.8
/ip dns static
add address=172.21.1.1 name=router.lan
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# tcp/4002 is the WinBox port (see /ip service). This accept has no
# in-interface or src-address matcher and sits before the "drop all not coming
# from LAN" rule, so WinBox is reachable from WAN1-3 and from 10MGMLINK as
# well. Adding in-interface-list=LAN (or a src-address) to this rule closes that.
add action=accept chain=input dst-port=4002 protocol=tcp
# Per-WAN DNS drops; the final !LAN drop below would catch these anyway.
add action=drop chain=input dst-port=53 in-interface=WAN1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=WAN2 protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN2 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=WAN3 protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN3 protocol=tcp
# LAN is bridge1 only, so hosts on vlan100 and on 192.168.30.0/24 reach the
# router itself only via the ICMP, tcp/4002 and established/related accepts above.
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
# Kept disabled; fasttracked connections would skip the mangle marking below.
add action=fasttrack-connection chain=forward comment=" fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# The only forward-chain drop, and it matches the OTE (WAN) list only. There is
# no final drop, so forwarding between bridge1, vlan100 and 10MGMLINK is allowed
# by default in both directions — this filter is not what blocks
# 192.168.30.0/24 -> 172.21.0.0/16. The hotspot's own dynamic rules presumably
# still apply on bridge1 and may affect unauthenticated hotspot clients.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=OTE
/ip firewall mangle
# Authenticated hotspot traffic to the three WAN subnets is accepted here, so
# it leaves mangle un-marked and follows the main routing table.
add action=accept chain=prerouting dst-address=192.168.1.0/24 hotspot=auth \
in-interface=bridge1
add action=accept chain=prerouting dst-address=192.168.2.0/24 hotspot=auth \
in-interface=bridge1
add action=accept chain=prerouting dst-address=192.168.3.0/24 fragment=no \
hotspot=auth in-interface=bridge1
# Connections opened toward the router on a given WAN get that WAN's mark, and
# the output-chain rules below route the replies back out through the same WAN.
add action=mark-connection chain=input hotspot=auth in-interface=WAN1 \
new-connection-mark=WAN1_mark passthrough=yes
add action=mark-connection chain=input hotspot=auth in-interface=WAN2 \
new-connection-mark=WAN2_mark passthrough=yes
add action=mark-connection chain=input hotspot=auth in-interface=WAN3 \
new-connection-mark=WAN3_mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_mark hotspot=auth \
new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_mark hotspot=auth \
new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_mark hotspot=auth \
new-routing-mark=to_ISP3 passthrough=yes
# PCC load balancing across the three WANs for authenticated hotspot clients
# going to non-local destinations: one connection mark per bucket (3/0, 3/1,
# 3/2), then one routing mark per connection mark.
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=\
auth in-interface=bridge1 new-connection-mark=WAN1_mark passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=\
auth in-interface=bridge1 new-connection-mark=WAN2_mark passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=\
auth in-interface=bridge1 new-connection-mark=WAN3_mark passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_mark hotspot=\
auth in-interface=bridge1 new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_mark hotspot=\
auth in-interface=bridge1 new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_mark hotspot=\
auth in-interface=bridge1 new-routing-mark=to_ISP3 passthrough=yes
# Disabled layer-7 packet marks (the regexps are defined in /ip firewall
# layer7-protocol above).
add action=mark-packet chain=prerouting comment="Mark Packet Streaming" \
disabled=yes layer7-protocol=streaming new-packet-mark=streaming \
passthrough=no
add action=mark-packet chain=prerouting comment="Mark Packet Facebook" \
disabled=yes layer7-protocol=facebook new-packet-mark=facebook \
passthrough=no
# Same PCC set again without the hotspot=auth matcher — presumably to cover
# bypassed / non-hotspot hosts on bridge1. Every PCC rule matches
# in-interface=bridge1 only, so traffic from vlan100 and 10MGMLINK is never
# marked and uses the main-table defaults in /ip route.
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge1 new-connection-mark=WAN1_mark passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge1 new-connection-mark=WAN2_mark passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge1 new-connection-mark=WAN3_mark passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_mark \
in-interface=bridge1 new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_mark \
in-interface=bridge1 new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_mark \
in-interface=bridge1 new-routing-mark=to_ISP3 passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
# Everything leaving toward the ISP router's segment is rewritten to
# 192.168.30.80. That is why 172.21.0.0/16 and 192.168.100.0/24 can reach
# 192.168.30.0/24 although that router knows neither subnet. There is no
# counterpart for the other direction: a 192.168.30.x host wanting to reach
# 172.21.x needs a route for 172.21.0.0/16 (and 192.168.100.0/24) via
# 192.168.30.80 on the ISP router or on the host itself, and nothing in this
# export can supply that.
add action=masquerade chain=srcnat out-interface=10MGMLINK
# Catch-all for the hotspot range on any out-interface; overlaps the rules above.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=172.21.0.0/16
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip hotspot ip-binding
# MAC-only bypasses: the hotspot trusts whatever source MAC these entries name,
# so this list is best kept to known infrastructure devices.
add mac-address=78:7E:61:BB:9E:07 type=bypassed
add mac-address=0C:77:1A:0A:D5:58 type=bypassed
add mac-address=D0:33:11:2E:1F:A4 type=bypassed
add mac-address=98:F1:70:5A:BC:4E type=bypassed
# 172.21.10.98 and .99 are already inside the .10-.105 range two lines down.
add address=172.21.10.99 comment="PC Reception" server=hotspot1 type=bypassed
add address=172.21.10.98 server=hotspot1 type=bypassed
add address=172.21.10.10-172.21.10.105 comment=Antennas_Switches server=\
hotspot1 type=bypassed
add address=172.21.10.180 comment=CRS112 server=hotspot1 type=bypassed
/ip hotspot user
add name=stavros profile=uprof1
add name=takis profile=uprof1
# Shared guest account on the "Free" profile (1000 shared users, 2-week timeouts).
add name=bluesky profile=Free server=hotspot1
/ip route
# Per-WAN tables selected by the mangle routing marks. Each has a ping-checked
# route via a public probe address (8.8.8.8 / 221.132.112.8 / 8.8.4.4) plus a
# companion via a 10.0.0.x placeholder hop.
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=to_ISP1
add distance=1 gateway=10.0.0.1 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=221.132.112.8 routing-mark=to_ISP2
add distance=2 gateway=10.0.0.2 routing-mark=to_ISP2
add check-gateway=ping distance=3 gateway=8.8.4.4 routing-mark=to_ISP3
add distance=3 gateway=10.0.0.3 routing-mark=to_ISP3
# Main-table defaults. 10.0.0.1/2/3 are not on any connected network (see
# /ip address); they resolve only through the /32 routes below, so when a
# WAN's probe stops answering its default drops out and the next distance wins.
add distance=1 gateway=10.0.0.1
add distance=2 gateway=10.0.0.2
add distance=3 gateway=10.0.0.3
# Pin each probe address to its WAN gateway (scope=10), then resolve the
# 10.0.0.x placeholders recursively through the probes with check-gateway=ping.
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.3.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 scope=10
add check-gateway=ping distance=1 dst-address=10.0.0.1/32 gateway=8.8.8.8 \
scope=10
add check-gateway=ping distance=1 dst-address=10.0.0.2/32 gateway=\
221.132.112.8 scope=10
add check-gateway=ping distance=1 dst-address=10.0.0.3/32 gateway=8.8.4.4 \
scope=10
# No static route is needed for 192.168.30.0/24 itself: it is a connected
# network on 10MGMLINK.
add distance=1 dst-address=221.132.112.8/32 gateway=192.168.2.1 scope=10
/ip service
# Only WinBox (4002) and www (4003) remain enabled. www has no input-chain
# accept of its own, so it is reachable from bridge1 (the LAN list) only;
# 4002 is accepted from every interface by the filter rule above.
set telnet disabled=yes
set ftp disabled=yes
set www port=4003
set ssh disabled=yes
set api disabled=yes
set winbox port=4002
set api-ssl disabled=yes
/ip ssh
# No effect while the ssh service is disabled.
set forwarding-enabled=remote
/radius
# Disabled, although hsprof1 has use-radius=yes.
add address=11.0.0.1 disabled=yes service=hotspot
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Athens
/system identity
set name="Blue Sky"
/system note
set show-at-login=no
/system ntp client
set enabled=yes primary-ntp=194.177.210.54
/system ntp server
set enabled=yes manycast=no
/system scheduler
# The job only runs /ip cloud force-update, yet its policy list also grants
# password, policy and sensitive. It presumably needs no more than read,write
# — verify and trim.
add interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=oct/29/2018 start-time=18:05:49
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool romon
# RoMON is on and the port entry below uses defaults, which presumably means
# every interface including the WAN uplinks; a port entry limited to the
# management side would be tighter.
set enabled=yes
/tool romon port
add